0

I am trying to use Google Calendar API to access the calendar of various users in our organization calendars using OAuth2.0 and a service account but I get an error

"invalid_request" "Invalid impersonation prn email address.".

In the Google console I have:
- Created a project
- Created a service account and enabled "Domain wide delegation" and given the "Project Owner" role, then got a P12 key.
- In Security > Advanced settings > Authentication > Manage API client access I have given the serviceaccount access to https://www.googleapis.com/auth/calendar.readonly. 

using System;
using System.Windows.Forms;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Calendar.v3;
using Google.Apis.Services;
using System.Security.Cryptography.X509Certificates;

namespace Google_Calendar
{
  public partial class Form1 : Form
  {
    public Form1()
    {
      InitializeComponent();
    }

    private void button2_Click(object sender, EventArgs e)
    {
      string GoogleCertificate = @"testcalendar-209521-772939e76cae.p12"; // keyfile filename 
      string GoogleEmail = @"[email protected]"; // serviceaccount mail
      string GoogleUser = "MyServiceAccount"; // serviceaccount name
      string[] Scopes = new string[] { "https://www.googleapis.com/auth/calendar.readonly" };

      X509Certificate2 certificate = new X509Certificate2(GoogleCertificate, "notasecret", X509KeyStorageFlags.Exportable);
      ServiceAccountCredential credential = new ServiceAccountCredential( new ServiceAccountCredential.Initializer(GoogleEmail)
        {
          Scopes = Scopes,
          User = GoogleUser
        }.FromCertificate(certificate));
      CalendarService service = new CalendarService(new     BaseClientService.Initializer() { HttpClientInitializer = credential,     ApplicationName = "testcalendar" });

      string CalenderID = "[email protected]";
      var CalRequest = service.Events.List(CalenderID);
      CalRequest.TimeMin = DateTime.Now.AddMonths(-1); //optional parameter
      CalRequest.TimeMax = DateTime.Now.AddMonths(+1); //optional parameter
      do
      {
        var events = CalRequest.Execute();  // here I get the error
        foreach (var item in events.Items)
        {
          // do stuff
        }
        CalRequest.PageToken = events.NextPageToken;
      } while (CalRequest.PageToken != null);
    }
  }
}

Any ideas what the problem might be? I think the problem is in my settings in Google somewhere. Do I miss a step there?

Improve this question
6
  • The user email configured in the platform is incorrect or doesn’t exist in your G Suite. Commented Jul 9, 2018 at 9:09
  • The user email [email protected] does exist in my G Suite. (But I get the same error if I use a non existing email address) The address is the primary mail address and the user is active. Commented Jul 9, 2018 at 9:47
  • and the service account has access to Gsuite? Commented Jul 9, 2018 at 10:05
  • Do I need to give the service account any access in addition to what I did in Security > Advanced settings > Authentication > Manage API client access where I gave the serviceaccount access to googleapis.com/auth/calendar.readonly? Commented Jul 9, 2018 at 10:47
  • developers.google.com/admin-sdk/directory/v1/guides/delegation developers.google.com/calendar/… Commented Jul 9, 2018 at 11:18

1 Answer 1

Reset to default
0

With some help from Google support I solved the problem(s).

1: Where I had used the service account user
string GoogleUser = "MyServiceAccount";
I should have used an impersonate user
string GoogleUser = "MyAdminUser";

2: When I added the scopes on my Admin Console, I added it by using the Service Account email, which then got translated visually to the ClientID of my Project and everything seemed to be ok. But it was not. When I instead used the ClientID everything worked correct.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.